My friend sent me this blog post [1] (I believe the author is on this
list) and though I agree with it generally there is one sentence that
really stood out to me "it's a fantastic solution to _authenticate other
web apps_". After mulling this over I think that this sentence should
have been the author's final conclusion.
OAuth is all about delegating access to a third party without revealing
your credentials, which makes a lot of sense when there is a third
party. In the OAuth example; giving access to my photos stored on a
website a la Flikr to a company a la Shutterfly that prints photos where
I may want to limit the time and/or scope of the third parties access
without revealing credentials.
A similar OAuth use-case in the Twitter realm is Twitpic or Tipjoy where
the third party service needs to access my account to provide some
service, again, without revealing credentials and while reserving the
right to revoke that access granularly.
When using a desktop application there is no third party to reveal your
credentials to, the desktop application *IS* the user, where is the
delegation? As an example, think of an email client; nobody thinks
twice about putting their IMAP credentials into Thunderbird and there is
not really any security threat in doing so. If the user wants to revoke
access, they uninstall the application or simply stop using it.
I'll call these applications -- which could be applications on a
desktop, a blackberry, an iPhone, etc. -- "Proxy Apps" as they they do
not act as a delegate of the user, but as a proxy for the user.
So, as of this morning I have backed OAuth support out of our desktop
application and will continue to use basic auth from now until a
suitable replacement is developed (see next).
Now I'm not one to criticize without being constructive. I believe that
a credential-based authentication scheme should persist in the Twitter
API specifically for proxy applications, though I don't believe that
HTTP Basic Auth is that scheme.
If Twitter would make a form of Digest authentication available the
proxy apps would need to only store a hash of the user's credentials
locally. Storing only a hash of the user's credentials would eliminate
two of the largest issues with credential-based auth; storing plaintext
credentials, and sending plaintext credentials across the network.
On 26 Mar 2009, at 16:14, Joshua Perry wrote:
>
>
> My friend sent me this blog post [1] (I believe the author is on this
> list) and though I agree with it generally there is one sentence that
> really stood out to me "it's a fantastic solution to _authenticate
> other
> web apps_". After mulling this over I think that this sentence should
> have been the author's final conclusion.
>
Ideally Twitter would have implemented token based authentication from
the start as Flickr did, which would have avoided this whole migration
of authentication techniques.
However Twitter have said that OAuth is their preferred authentication
approach for the future, to roughly quote Doug from Tuesday night's
Twitter Devnest meeting. Given that I feel it is much more confusing
to have one means of authenticating desktop applications and another
for web applications.
For a good desktop OAuth like experience look at the MarsEdit and
Flickr integration.
It is all about the language used on the interfaces
From media panel click link to go to Flickr to authorise Marsedit's
access to Flickr (photos are on Flickr)
Authorise on flickr.com
Back to Marsedit, screen now says using an obvious button, "verify
access" (ie pick up previously requested token)
Click this link, Marsedit in the background gets the token and
refreshes the with your photos from Flickr.
More steps than entering an email address and password, I'll agree,
but this will be the common pattern across both web apps and desktop
apps.
OAuth is also permission based, rather than letting the third party
application act as if it were the person
It is clear what permission are being delegated and no surprises like
tweets being sent without your permission.
With a password based system this is not possible.
One authentication system in the future is definitely to be preferred
in my view to one for the desktop and one for the web.
For another example of how this can work look at Yahoo's Fire Eagle,
which uses OAuth for both desktop and web auth.
I'm not saying OAuth is a panacea, but it is better than handing over
a password.
thanks
Gavin
--
Gavin Bell
w - takeoneonion.org (weblog) and gavinbell.com
e - me at gavinbell dot com
zzgavin most places on the web
> Ideally Twitter would have implemented token based authentication from
> the start as Flickr did, which would have avoided this whole migration
> of authentication techniques.
>
> However Twitter have said that OAuth is their preferred authentication
> approach for the future, to roughly quote Doug from Tuesday night's
> Twitter Devnest meeting. Given that I feel it is much more confusing
> to have one means of authenticating desktop applications and another
> for web applications.
I think it's hard to say "ideally." Ideally *from a security perspective*,
sure, but it has been observed and said by many people, not merely yours
truly, that Twitter's API would probably not have the wide utilization it
does if they had insisted on a token based auth from the very beginning.
How many scripts are out there that are basically curl and a cron job? A lot.
Unless they can migrate turning off Basic Auth will shut them down, which
may or may not be a bad thing, but it was so easy to implement that they
became Twitter users. That does count for something.
This again should not be construed as a vote of no confidence in OAuth
because I'm converting TTYtter (a desktop app) to it too, and there are clear
advantages for certain functional domains. But I think it needs to be
pointed out that OAuth is not always *the* solution, nor always the best
solution in a field of inferior ones.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- "I am Pentium of Borg. Division is futile. You will be approximated." ------
It is hard to beat cron and curl, but tools like
http://intridea.com/2009/3/23/twitter-auth-for-near-instant-twitter-apps
will make it easier to get past the auth setup and on to making an
interesting app.
OAuth is still pretty young compared to basic auth, the tools will get
better I think
I still think that OAuth as a single framework for web and desktop is
a desirable model to aim for.
Migrating the current Basic Auth acquired users to OAuth tokens will
be a challenge though.
registering your OAuthness with twitter.com or responding to a
particular API call could then start a token issuing process?
>
>> I'm not saying OAuth is a panacea, but it is better than handing over
>> a password.
>
> That's the crux of it. It's not a panacea (the UX sucks, especially
> for iPhone apps), but the fact is it's only marginally better than
> handing over a password. I mentioned this in my blog post (linked
> above), but if I'm a native app, I can get your password if I want it
> - OAuth or not. It's nothing more than the illusion of security in
> this case.
It's not an illusion of security, it's a shift of control. In the
current system, the third party application has the user's credentials.
If the third party app goes rogue and performs malicious actions,
under OAuth, Twitter can revoke the application's rights wholesale, or
the user can revoke the application's rights to their account only.
> To the twitter-folk: for implementation simplicity, I think you should
> run with token-based authentication and deprecate Basic Auth. All I
> ask in return is a "special" API method to exchange a username
> +password for an access token. This way I can collect a username
> +password client side (without directing the user to a webpage) and
> authenticate.
Ah, but then your application would have the user's password.
The scheme you propose is a good intermediary step for a transition,
but not as a long term solution.
> From the user's perspective, it's just as easy as OAuth.
Although much harder to revoke!
-j
---
John Adams
Twitter Operations
j...@twitter.com
http://twitter.com/netik
The iPhone is a different case, I agree that is will lead to awkward
user experiences, I've done an OAuth dance on an iPhone and it is not
pretty. Though it does work with the various Fire Eagle apps on the
iPhone, so twitter developers are not the first to experience these
issues.
However I was talking about desktop apps in my earlier email. I
diagrammed the OAuth from desktop issues in 2007
http://www.flickr.com/photos/gavinbell/2086140377/
Take this to the OAuth IETF group
http://groups.google.com/group/oauth
They are aware of these issues
I'm not saying OAuth has solved all the problems, but it is better
than giving away your whole identity and a single auth framework means
it is more likely to become a solved problem
I am working with PHP scripts mostly, so using Abe's fantastic
TwitterOauth lib makes this rather simple, but I can see how things
like a cron job w/ curl or a bash script would be much more difficult.
Not sure if a perl lib has been created by anyone yet.
Anyone else dealing with the script/automation issue in a different manner?
-Chad
That's pretty much going to be my plan. Dummy "Script Automation of
Doom" Application and then just a basic webapp that auths and does
it's thing for that to get the token that then gets dumped into a
config file.
-steve
On the web this is via the nice callback,
From the desktop you need to tell your app to go and fetch it. I
believe the MarsEdit example to be easier than checking your email for
a link to click on, something people do on a regular basis.
Command line scripts can check to see if it exists on their next
access for that user.
On the iPhone it is more of a dance, see the Fire Eagle apps for the
experience
http://fireeagle.yahoo.net/developer/documentation/oauth_best_practice
The Pownce app did show that this is an issue
http://immike.net/blog/2008/09/08/oauth-on-the-iphone/
The pownce:// handler is a nice idea, saves hunting around for your
app again, have safari launch it for you.
There is a mailing list for OAuth in Objective C
http://groups.google.com/group/oauth-objective-c
Perl library has been around since 2007, http://nearlyfree.org/oauth-perl
OAuth has a wide range of language and framework support already
http://oauth.net/code
If Basic Auth is going to go away at some point in time; well, then
we'll have to have this to actually authenticate and authorize the
scripts unless some other means becomes available. If Basic Auth is
never ever ever ever ever going to go away then you are correct we
don't need to worry about doing such delegation to our scripts. I
posed the same question earlier and never saw a response or a
suggestion that there might be an alternate plan in the works for
those of us that do backend internal work of such things, so I'm
currently planning the OAuth route.
-steve
Now, if that stance has changed and Basic Auth will be available
forever more, then I am more than happy not to waste my time building
OAuth into all of my scripts (I really have better things to do), and
Mr. @funkatron will win the day. So far there has been no indication
of this, so I am preparing (as well as other devs) for the forthcoming
(unannounced as of yet) flag day when The Basic Auth In The Sky Mad
Scientist Switch Gate is flipped off by Al3x and Matt wearing lab
coats and big goggles while laughing maniacally with Jacob's Ladders
sparking madly behind them (I want video of this).
It's not because we *want* to, it's because we *have* to.
I'm going to trump Dossy here and give his requisite "love the bomb"
speech, blah blah blah... done.
Now, let's look at it from another perspective really quick. It could
be the case that Twitter decides to leave Basic Auth on forever along
side OAuth. It may be that in the twitter app ecosystem (web or
desktop/iphone), that apps that use Basic Auth will be shunned by
users and ultimately fail b/c everyone is so ga-ga over OAuth finally
being the "solution" for Twitter user security/protection (it's not
really, but the illusion is all people want to believe). Thus, apps
that want to survive may be forced by peer-pressure to implement OAuth
to gain user adoption.
The opposite may happen, as has been suggested, that since Basic Auth
is so easy for both devs and users alike, that it may still reign
supreme as the preferred authentication method, and instead the OAuth
apps will be shunned for being too user unfriendly.
Who knows what would really happen? It might be a fun experiment to
find out, but it's ultimately up to Twitter. Right now the plan laid
out before us is "OAuth or Nothing", so that's what we're all planning
for.
-Chad
This low bar is what has allowed me ANY access to the Twitter API,
because low-bar shell scripts are what I can do. So I just wanted to
say "thanks" for not shutting us off hastily, and if you need folks to
talk to about "how high is too high to keep the low bar from getting
too high" then, well, I'm your guy :-)
- @T"I took a couple of courses in Pascal and decided I didn't want to
be a CS major, so I just diddle around with shell scripts"J
I can tell by the lack of responses to my posts that people don't
totally agree with my feelings on the subject. I don't try to be
confrontational, I just tend to be very literal and a bone-headed
purist. Though, throughout the discussion I have tried to limit my
posts to facts and statements directly from the OAuth specification itself.
I've left the code for OAuth in our application so that it can be
reenabled with a simple compile switch. The overall flow was fairly
smooth, though not as simple as basic, and the couple of tickets that
are open on the topic are deal breakers for us right now. We'll present
it to our users for their consideration once the Twitter OAuth
implementation has matured a bit.
Josh
Feel free to check out the modifications I made for Adium:
http://hg.adium.im/adium/file/tip/Plugins/Twitter%20Plugin/MGTwitterEngine
This uses OAuth Consumer.framework and works pretty well. I don't know
how well it translates over to the iPhone (the OAuth consumer part),
but the OAuth details are ridiculously easy.
Beware though, if you venture out of that folder you're going to have
to GPL (that's where the OAuth token exchange, etc, happens. The
example code on the OAuth website should help though).
>
> From my perspective, the requirement to use OAuth has added days of
> overhead to my project (blowing my estimates) and negatively impacted
> the user experience.
I found I was able to do it in a few hours, really.
>
> For what it's worth, I agree completely with Josh; OAuth isn't adding
> value to anyone in this scenario. But it seems I've arrived too late
> to this party. :-(
>
> - Michael
@zacwest
Click the star by it to up the vote.
-Chad